This buggy WordPress plugin allows hackers to lace websites with malicious code
By Joel Khalili 2 days ago
Attackers can also abuse the flaw to create administrator accounts
(Image credit: Shutterstock / Magura)
Security researchers have identified a flaw in the Real-Time Find and Replace WordPress plugin that could allow hackers to lace websites with malicious code.
The affected plugin affords WordPress users the ability to edit website code and text content in real-time, without having to go into the backend – and reportedly features on over 100,000 sites.
Uncovered by threat analysts at Wordfence, the exploit manipulates a Cross-Site Request Forgery (CSRF) flaw in the plugin, which the hacker can use to push infected content to the website and create new admin accounts.
- More popular WordPress plugins are being attacked
- Flawed WordPress popup plugin allows attackers to inject code
- WordPress to add auto-update feature for themes and plugins
The bug reportedly affects all iterations of the plugin up to version 3.9.RECOMMENDED VIDEOS FOR YOU…